custom hostgroups in soc

salt/firewall/soc/defaults_soc_firewall.yaml

@@ -0,0 +1,136 @@
+firewall:
+  custom_groups:
+    groups:
+      description: List of group names to create.
+      multiline: True
+      forcedType: "[]string"
+      global: True
+      title: Custom Firewall Groups
+      helpLink: firewall.html#host-groups
+  hostgroups:
+    analyst_workstations:
+      description: List of IP addresses or CIDR blocks to allow analyst workstations.
+      file: True
+      global: True
+      title: Analyst Workstations
+      helpLink: firewall.html#host-groups
+    analyst: 
+      description: List of IP addresses or CIDR blocks to allow analyst connections.
+      file: True
+      global: True
+      title: Analyst
+      helpLink: firewall.html#host-groups
+    beats_endpoint:
+      description: List of IP addresses or CIDR blocks of standard beats without encryption.
+      file: True
+      global: True
+      title: Beats Endpoints
+      helpLink: firewall.html#host-groups
+    beats_endpoint_ssl:
+      description: List of IP addresses or CIDR blocks of standard beats with encryption.
+      file: True
+      global: True
+      title: Beats Endpoints SSL
+      helplink: firewall.html#host-groups
+    elastic_agent_endpoint:
+      description: List of IP addresses or CIDR blocks for Elastic Agent connections.
+      file: True
+      global: True
+      title: Elastic Agents
+      helplink: firewall.html#host-groups
+    elasticsearch_rest:
+      description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
+      file: True
+      global: True
+      title: Elasticsearch Rest
+      advanced: True
+      helplink: firewall.html#host-groups
+    endgame:
+      description: List of IP addresses or CIDR blocks to allow Endgame access.
+      file: True
+      global: True
+      title: Endgame
+      advanced: True
+      helplink: firewall.html#host-groups
+    strelka_frontend:
+      description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
+      file: True
+      global: True
+      title: Strelka Frontend
+      advanced: True
+      helplink: firewall.html#host-groups
+    syslog:
+      description: List of IP addresses or CIDR blocks to allow syslog.
+      file: True
+      global: True
+      title: Syslog Endpoint Traffic
+      helplink: firewall.html#host-groups
+    standalone: 
+      description: List of IP addresses or CIDR blocks to allow standalone connections.
+      file: True
+      global: True
+      title: Standalone
+      advanced: True
+      helpLink: firewall.html#host-groups
+    eval: 
+      description: List of IP addresses or CIDR blocks to allow eval connections.
+      file: True
+      global: True
+      title: Eval
+      advanced: True
+      helpLink: firewall.html#host-groups
+    idh: 
+      description: List of IP addresses or CIDR blocks to allow idh connections.
+      file: True
+      global: True
+      title: IDH Nodes
+      helpLink: firewall.html#host-groups
+    manager: 
+      description: List of IP addresses or CIDR blocks to allow manager connections.
+      file: True
+      global: True
+      title: Manager
+      advanced: True
+      helpLink: firewall.html#host-groups
+    heavynodes: 
+      description: List of IP addresses or CIDR blocks to allow heavynode connections.
+      file: True
+      global: True
+      title: Heavy Nodes
+      helpLink: firewall.html#host-groups
+    searchnodes: 
+      description: List of IP addresses or CIDR blocks to allow searchnode connections.
+      file: True
+      global: True
+      title: Search Nodes
+      helpLink: firewall.html#host-groups
+    sensors:
+      description: List of IP addresses or CIDR blocks to allow Sensor connections.
+      file: True
+      global: True
+      title: Sensors
+      helpLink: firewall.html#host-groups
+    receivers: 
+      description: List of IP addresses or CIDR blocks to allow receiver connections.
+      file: True
+      global: True
+      title: Receivers
+      helpLink: firewall.html#host-groups
+  portgroups:
+    portgroups__yaml:
+      description: Port Groups
+      file: True
+      global: True
+      advanced: True
+      title: Port Groups
+      syntax: yaml
+      helpLink: firewall.html#function
+  ports:
+    ports__yaml:
+      description: Ports in YAML.
+      file: True
+      global: True
+      advanced: True
+      title: Ports
+      syntax: yaml
+      helpLink: firewall.html#port-groups

salt/firewall/soc/init.sls

@@ -0,0 +1,5 @@
+soc_firewall_yaml:
+  file.managed:
+    - name: /opt/so/saltstack/local/salt/firewall/soc_firewall.yaml
+    - source: salt://firewall/soc/soc_firewall.yaml.jinja
+    - template: jinja

salt/firewall/soc/soc.map.jinja

@@ -0,0 +1,2 @@
+{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %}
+{% set SOC_FIREWALL = salt['pillar.get'}('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %}

salt/firewall/soc/soc_firewall.yaml.jinja

@@ -0,0 +1 @@
+{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %}